International Journal of Wireless Networks and Communications. Volume 1, Number 2 (2009), pp. 193 -- 200 © Research India Publications http://www.ripublication.com/ijwnc.htm

An Agent-Based Framework to Counterattack DDoS Attacks

Dr. Dimple Juneja1*, Reshma Chawla2 and Aarti Singh3

1 Professor, *Corresponding Author E-mail: [email protected]
2 Lecturer, E-mail: [email protected]
3 Lecturer, E-mail: [email protected]
M.M. Institute of Computer Technology & Business Management, M.M. University, Mullana, India

Abstract

A Distributed Denial of Service (DDoS) attack combines the resources of multiple zombies (compromised systems) to attack a single victim, making it impossible for the victim to continue working. DDoS is among the most serious challenges, and the existing literature reveals that although various mechanisms exist to handle it, a gap remains between the security requirements and the existing mechanisms. Therefore, a strong and reliable mechanism is desired. Software agents appear to be a strong candidate for defending against DDoS attacks. This work highlights the importance of software agents as security staff for avoiding DDoS attacks, and proposes a multi-agent framework for detecting, protecting against and source-tracing DDoS attacks.

Introduction

With the movement of businesses from private to public networks, e-media invites unwanted intrusion. According to a report1, the different ways that hackers might be using in 2009 include social media sites, Portable Document Format (PDF) and Flash files. Despite a huge increase in direct IT security expenditure, which is expected to reach $79 billion annually by 20102, the impact of such attacks has not reduced. Unfortunately there is no universal solution that can provide fool-proof security services, owing to the Internet's distributed nature [Pfleeger, 1997][Loscocco, 1998]. Generally, non-exploitable and law-enforced policies are among the desirable requirements of a framework for responding to DDoS attacks. A recent cyber attack is the one on UK MoD system security, where a hybrid computer virus/worm (January 2009) penetrated the security system. This work aims to incorporate software agents as an element of network security so as to ensure that the business can continue to process legitimate traffic while under attack, and to create a scalable, adaptable solution that addresses DDoS attacks now and in the future. This paper is structured as follows: Section 2 introduces the DDoS attack and discusses the current security scenario. Section 4 justifies the need for software agents as security staffers. Section 5 proposes a multi-agent framework for detecting, protecting against and source-tracing DDoS attacks. Finally, Section 6 concludes with the pros and cons of the proposed framework.

1 Predicting Cybercrime In 2009!.htm
2 Information Security Products & Services – Global Strategic Business Report, Global Industry Analysts, Inc., July 2007.

Background: DDoS Attacks

A Distributed Denial-of-Service (DDoS) attack is one in which the victim's network elements are bombarded with a high volume of fictitious attack packets that originate from a large number of machines [Kim et al., 2007]. A successful attack allows the attacker to gain access to the victim's machine, allowing sensitive internal data to be stolen and, in some cases, causing disruption and denial of service (DoS). DoS incidents in any organization pose a big challenge and are increasing at a very high rate. Nearly 40% of the total attacks faced by businesses on the Internet are Denial of Service (DoS) attacks. Among the various categories of DoS attack, such as flooding, software exploit and protocol based, the Distributed Denial of Service attack is the most prominent. In fact, a DDoS attack uses a series of zombies to initiate a flood attack against a single unsafe site. A DDoS attack is initiated in two phases [Mirkovic and Reiher 2004] [Dietrich et al. 2000]:

Recruiting phase: the attacker selects machines by injecting malware into them.
Action phase: the selected machines send attack packets to the victim on the attacker's command.

Trinoo, Tribe Flood Network, Stacheldraht, Shaft, mstream etc. [Gong, 2003] are some tools used to launch DDoS attacks. Today, protocol-based DDoS attacks are tough to handle because they do not require any special privileges on the part of the attacker. A number of proposals have been made to defend against or prevent DDoS attacks, ranging from increasing the resources at the defender side, implementing authentication policies at routers, filters and firewalls with hardware security appliances, learning-based mechanisms, and agent-based detection at the host level or at an intermediate level, but none of them has proved to be the best at addressing all the challenges. Therefore there is a strong need to bridge the existing gaps among the various security solutions.


Related Work

This section presents the related work and explores various challenges in the DDoS attack. The electronic attacks on Ethiopia in 2007 revealed the extreme face of cyber attacks3. These were denial of service attacks, where an attacker floods the target network with bogus messages, causing its servers to slow or shut down4. The Georgia Tech Information Security Center (GTISC) strongly believes that a proactive and collaborative approach to understanding emerging threats will help in developing more effective information security technologies and strategies [Ahamad 2008]. Lee described the DDoS attack architecture and proposed taxonomies to characterize the scope of DDoS attacks, the characteristics of the software attack tools used and the countermeasures available, but emphasized the need for more comprehensive solutions and countermeasures to DDoS attacks [Lee et al, 2004]. The authors of [Gresty, 2001] raised some important issues and solutions pertaining to network security, demonstrating the requirements for a framework for the management of response to network DoS incidents. The work of Catherine Meadows [Meadows, 2000] proposed a framework for evaluating a protocol for defending against DoS attacks involving resource exhaustion; it is intended to make maximum use of the available tools applicable to cryptographic protocols and can be applied to any protocol that uses authentication, weak or strong, to protect against denial of service. The researchers of [Hussain, 2003] introduced a framework for classifying DoS attacks based on header contents, ramp-up behaviour and novel techniques based on spectral analysis. They agree that when large attacks such as the root server attack occur, additional detection sites would provide more insight when projecting the prevalence of DoS activity on the Internet.

Although Parashar [Parashar 2005] suggested an approach for detecting a DDoS attack within the intermediate network by using a gossip-based communication mechanism to exchange information about the overall network attack observed, Zhang [Zhang, 2005] concluded that if more intelligent gossip strategies are used then the detection overhead can be reduced. Hackers can use different ways to execute attacks successfully. The authors of [Seufert and O'Brien 2007] explored the effectiveness of machine learning techniques in developing automatic defences against DDoS attacks based on artificial neural networks, but these techniques have not been extended to multiple algorithms. We now turn our attention to software agents that can act as security providers to counterattack DDoS attacks. Stefan proposed a simulation environment which offers an agent-based simulation approach, packet-based simulation of attacks and defence systems, and the capability to add new attacks and defence methods and investigate them, but there is a strong desire to improve the functionality of the simulation environment and further investigate new defence mechanisms for better output [Kotenko and Ulanov, 2007]. The upcoming section discusses the exploitable characteristics of software agents that make them quite suitable as security staffers.

3 InternetNews Realtime IT News – Is Cyberterrorism' aReal Threat.htm
4 James A. Lewis, "Cyber Attacks Explained", June 15, 2007. http://www.csis.org/media/csis/pubs/070615_cyber_attacks.pdf

Software Agents as Security Staffers

"An agent is any hardware or software entity which is autonomous and has the ability to act on behalf of others, can perceive the changes in the environment and react according to them with the help of features like mobility, learning ability etc." Software agents not only provide a competitive advantage by improving process quality but also integrate new technology and specialized expertise. Agent technology finds its applications in wide areas such as user interfaces, mobile computing, information retrieval and filtering, smart messaging, telecommunications and the electronic marketplace. Software agents are inherently autonomous, proactive, reactive, benevolent and rational. Smart agents interact with each other in a multi-agent system in various ways. The clusters of agents in a multi-agent framework are competitive, cooperative and task-oriented, and can also provide an interface to users. The characteristics that motivate the use of software agents for security monitoring functions are: autonomy, fault tolerance, resistance to subversion, configurability, robustness, dynamic configuration, information provision, task orientation, scalability, and atomicity and isolation [Spafford et al. 2000]. The agent architecture also offers software reusability. Many security mechanisms have been proposed to mitigate agent-to-agent, agent-to-platform and platform-to-agent security risks. Once designed, agents can interchange their roles in order to fulfil the user's demand. The aim of incorporating software agents as an element of network security is to ensure that the business can continue to process legitimate traffic while under attack, and to create a scalable, adaptable solution that addresses DDoS attacks now and in the future. The agent-based framework is proposed in the upcoming section.

The Proposed Framework

This section proposes a multi-agent framework which aims to detect, prevent and perform source tracing of DDoS attacks at a network site. A pictorial representation of the framework is given in Figure 1. The proposed framework primarily comprises four components, namely Mobile Agents (MA), Host Agents (HA), Controller (C) and Filter (F).

Mobile Agents (MA): MAs are deployed as the main communication entities that carry information from source to destination. Each mobile agent is authorized to move from and within a network of hosts so as to gather information and forward it to collectors at the destination end. MAs are provided with a history buffer to maintain a record of the immediate sender, which is refreshed periodically.

Host Agents (HA): Every host has its own set of HAs to gather the information provided by the filters. Filters provide filtered information to the HA of the destined computer.

Figure 1 : Proposed Framework

Controller: It processes the information gathered by the MAs periodically and, if the filters detect any DDoS, takes appropriate action. It also checks whether an agent is acting as a compromised machine; if so, it locates the master and communicates this to the rest of the networks or hosts, thereby performing source tracing.

Filters: Filters hold the criteria for the DDoS attack check. They also contain the blocked IPs and update the list periodically, and immediately in case an unauthenticated source is traced.

The flowchart and algorithms of the proposed framework are given in the next subsection.

Flowchart

The primary responsibility of an MA is to receive information not only from its neighbouring MAs but also from the controllers employed at the source. The MA then forwards the same to the Controller employed at the destination. The Controller forwards it to the Filter for verification, which employs detection mechanisms such as threshold limit, signatures, doubtful source etc. to decide whether it is a DDoS scenario. If true, the Filter alerts the Controller about the current incoming traffic and blocks all incoming traffic for a certain time. The Controller then forwards the same alert messages to all connected MAs, which are actually responsible for tracing the source of the attack. In case of a DDoS attack the Controller checks the immediate hop for authentication. If it is authentic, the next hop is checked; otherwise an alert is sent to all nodes about the compromised hop. This framework uses a bottom-up approach for source tracing. The flowchart depicting the working of the framework is given in Figure 2.


Figure 2 : Flowchart of Proposed Framework

Algorithms of various agents

Algorithms for the Mobile Agent, Filter, Controller and Host Agent are given in Fig. 2(a), Fig. 2(b), Fig. 2(c) and Fig. 2(d) respectively.
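The Filter and Controller decisions described above, modelled as added example code that is not the authors' algorithms (the paper gives those only in Fig. 2(a) to (d)). It assumes a per-source packet threshold over a time window, a signature list, a doubtful-source list, blocking of the offending source for a fixed time rather than all incoming traffic, and a set of authenticated hops for the bottom-up trace; the traffic is constructed.

```python
# Toy model of the paper's Filter / Controller logic. Added illustrative code,
# not the authors' algorithms (those exist only as figures): threshold/window,
# the signature and doubtful-source lists, timed per-source blocking and the
# authenticated-hop set are assumptions chosen to mirror the text.
from collections import defaultdict, deque

class Filter:
    def __init__(self, threshold, window, signatures, doubtful, block_secs):
        self.threshold = threshold          # packets per source per window
        self.window = window                # window length (seconds)
        self.signatures = signatures        # byte patterns of known attack tools
        self.doubtful = set(doubtful)       # sources already traced as suspect
        self.block_secs = block_secs        # how long a source stays blocked
        self.blocked = {}                   # ip -> time at which the block expires
        self.history = defaultdict(deque)   # ip -> recent packet timestamps

    def check(self, pkt):
        # Return None if the packet passes, else the criterion it matched.
        src, ts, payload = pkt["src"], pkt["ts"], pkt["payload"]
        if src in self.blocked and ts < self.blocked[src]:
            return "blocked"
        self.blocked.pop(src, None)         # expired entry: periodic refresh
        if src in self.doubtful:
            return "doubtful-source"
        if any(sig in payload for sig in self.signatures):
            return "signature"
        q = self.history[src]
        q.append(ts)
        while ts - q[0] > self.window:      # drop timestamps outside the window
            q.popleft()
        return "threshold" if len(q) > self.threshold else None

def controller(filt, packets):
    """Block a source on first detection; alerts are what goes to the MAs."""
    accepted, alerts = 0, []
    for pkt in packets:
        reason = filt.check(pkt)
        if reason is None:
            accepted += 1
        elif reason != "blocked":
            filt.blocked[pkt["src"]] = pkt["ts"] + filt.block_secs
            alerts.append((pkt["src"], reason, pkt["ts"]))
    return accepted, alerts

def trace_source(path, authentic):
    """Bottom-up tracing: first hop (nearest first) that fails authentication."""
    return next((hop for hop in path if hop not in authentic), None)

def demo():
    # Constructed traffic: a flood, a signature hit, a doubtful source, a legit host
    packets = [{"src": "10.0.0.9", "ts": t, "payload": b"x"} for t in range(30)]
    packets += [{"src": "10.0.0.3", "ts": 40, "payload": b"floodnet"}, {"src": "10.0.0.7", "ts": 41, "payload": b"GET /"}]
    packets += [{"src": "10.0.0.5", "ts": 42 + i, "payload": b"GET /"} for i in range(3)]
    filt = Filter(5, 10, [b"floodnet"], ["10.0.0.7"], 30)
    accepted, alerts = controller(filt, packets)
    return accepted, alerts, sorted(filt.blocked)
```

Running demo() shows the flood source blocked after its sixth packet in the window, while the legitimate host's requests are still accepted.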

Conclusions and Future Work

Owing to the migration from private intranets to the public Internet, organizations have become highly prone to attacks initiated by hackers for their malicious purposes. Therefore, the security of the original data becomes the biggest issue facing its owner. This work proposed a framework that detects, prevents and traces the source of an attack. The framework has the capability of tracing a source apart from detecting an attack, but it is still not certain how many software agents should be employed so as to work optimally. Trusting the validity of an agent is still a big issue that can be handled in future work.


Figure 2 : (a) Algorithm for Mobile Agent; (b) Algorithm for Filter; (c) Algorithm for Controller; (d) Algorithm for Host Agent

References

[1] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communications Review, Volume 34, Number 2, April 2004, pp. 39-53.
[2] Alefiya Hussain, John Heidemann, and Christos Papadopoulos, "A Framework for Classifying Denial of Service Attacks," ACM SIGCOMM Computer Communication Review, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 2003, pp. 99-110.
[3] Catherine Meadows, "A Framework for Denial of Service Analysis," Code 5543, Naval Research Laboratory. [email protected]
[4] C. P. Pfleeger, "Security in Computing," 2nd ed., Prentice Hall PTR, Upper Saddle River, NJ, 1997.
[5] D. Bénech, T. Desprats, and Y. Renaud, "KQML-CORBA Based Architecture for Intelligent Agents, Communication in Cooperative Service and Network Management," Proceedings 1st IFIP Conference on Management of Multimedia Networks and Services, vol. 112, 8 July 1997, pp. 95-106.
[6] D. W. Gresty, Q. Shi, and M. Merabti, "Requirements for a General Framework for Response to Distributed Denial-of-Service," Proc. 17th Ann. Computer Security Applications Conf., IEEE CS Press, 2001, pp. 422-429.
[7] Dr Fengmin Gong, "Deciphering Detection Techniques: Part III Denial of Service Detection," McAfee Network Security Technologies Group, Jan 2003.
[8] Dietrich, S., Long, N., and Dittrich, D. 2000. Analyzing distributed denial of service attack tools: The shaft case. In Proceedings of the 14th Systems Administration Conference, New Orleans, Louisiana, USA, pp. 329-339.
[9] Eugene H. Spafford, Diego Zamboni, "Intrusion detection using autonomous agents," Computer Networks, Vol. 34, issue 4, pp. 547-570 (2000).
[10] Guangsen Zhang, Manish Parashar, "Cooperative Mechanism Against DDoS Attacks," SAM 2005, June 20-23, 2005, pp. 86-96. [email protected]
[11] Igor Kotenko and Alexander Ulanov, "Agent-Based simulation environment and experiments for investigation of internet attacks and defense," Proceedings 21st European Conference on Modelling and Simulation, ECMS 2007.
[12] Mustaque Ahamad, Dave Amster, "Emerging Cyber Threats Report for 2009," GTISC Emerging Cyber Threats Report, 2008.
[13] Ousterhout, J., "TCL: An Embeddable Control Language," USENIX Conference, 1990, pp. 133-146.
[14] P. Maes, R. H. Guttman, and A. G. Moukas, "Agents That Buy and Sell," Communications of the ACM, Vol. 42, No. 3, March 1999, pp. 81-91.
[15] P. A. Loscocco et al., "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments," presented at NIST'98, 1998. http://csrc.nist.gov/nissc/1998/proceedings/paperf1.pdf
[16] Stephen M. Specht, Ruby B. Lee, "Distributed Denial of Service: Taxonomies of Attack, Tools and Countermeasures," Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp. 543-550, September 2004.
[17] Stefan Seufert and Darragh O'Brien, "Machine Learning for Automatic Defence Against Distributed Denial of Service Attacks," IEEE Communications Society, ICC 2007, pp. 1217-1222.
[18] Top Layer, "The Importance of Denial of Service (DoS) Security Appliances," Top Layer Networks, 1 September 2002.
[19] Y. Shoham, "Agent-Oriented Programming," Artificial Intelligence, Vol. 60, No. 1, 1993, pp. 139-159.
[20] Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah and Jonathan H. Chao, "PacketScore: Statistical-Based Overload Control Against Distributed Denial-of-Service Attacks," IEEE INFOCOM 2004, The 23rd Annual Joint Conference of the IEEE Computer and Communications Societies, Hong Kong, China, March 7-11, 2004. IEEE, 2004.
